pgp4pine is a program which is used to interface various PGP implementations
with the popular Pine mail reading package. Version 1.75-6 of pgp4pine fails
to properly identify expired keys when working with the Gnu Privacy Guard
program (GnuPG). This failure may result in the transmission of sensitive
information in clear text across the network.

2. Problem Description

Version 1.75-6 of pgp4pine does not include code to check if public keys
are expired when loading keys from the GnuPG openPGP implementation. If a
user has an expired public key in their keyring and attempts to encrypt a
message to a recipient with that expired public key, pgp4pine will fail to
recognize that the key is expired. pgp4pine will then issue a command to
GnuPG to encrypt the email message with the expired key. The encryption
will not be successful, GnuPG will return an error message due to the
invalid key. pgp4pine will not detect the error which occurred when
encrypting the text and will return program flow control to Pine. Pine
will then transmit the message in the clear. No notice that an error
occurred will be provided to the user by pgp4pine.

To duplicate the error on the command line:

bash$ pgp4pine -e -i /tmp/in.tmp -o /tmp/out.tmp -r (*R)

* Where R is a recipient with an expired public key in your keyring.

3. Solution

A patch, written by V. Alex Brennen, has been provided with this advisory.
The patch consists of code modifications which allow pgp4pine to recognize
and ignore expired keys when working with GnuPG.

4. About This Advisory

This advisory was produced as part of the CryptNET Free Cryptography
Auditing Project. CryptNET is a group working on the development of
Free Software cryptographic solutions. As part of its mission,
CryptNET has undertaken The Free Cryptography Auditing Project. The
project is an effort to audit some of the more popular free software
cryptographic programs licensed under the GNU General Public License.
If you would like to become involved in this project, please see the
CryptNET web site.

John Sheehy, an IBM certified specialist with e-techservices.com
(http://www.e-techservices.com/), assisted with the discovery and
identification of this bug.